BrowserID on Rails

2012-08-19 browserid, ruby

While working on a larger Rails application we thought about enabling
BrowserID/Persona authentication. Here you can find some more
information about what Persona is.

As we are building our application using Rails and doing the authentication
stuff using Devise, I was looking for a way to enable BrowserID in
Devise. I found some solutions to authenticate a user using the email-address
returned by BrowserID but they all failed if the user was not in the database.
So the user had to sign up using the Rails application first to be able to use
Persona authentication.

I wanted to allow even “first time users” using BrowserID so the Warden
strategy has to create the user if it’s not there. We are not using any kind of
username, just the email-address and a password. The email address we get from
BrowserID is a verified one so we don’t have to bother about invalid addresses.

So I built a little warden strategy to sign in a user of create a new one if
the email address is not known yet. That strategy also creates a password for
that user account so the user could theoretically also use the “Reset password”
function and sign in with email address/password and BrowserID simultaneous.
That also works the other way round, so a user who signed up using his email
address and a password could use BrowserID if he adds the email address to his
Persona account.

Together with some other small stuff I published the Warden strategy in a Gem
called devise_browserid_authenticatable and you can find the code at
Github. If you have any feedback, I would be happy to hear it.